Getting Started | Public Exploits | Try to identify the services running on the server above

Spent a while on this. Use the tools mentioned in the exercise: searchsploit and msfconsole. Visit the website and the answer should be right in your face.

I watched the video about this task and did everything exactly, but it doesn’t work now. The exploit can’t save the file /flag.txt from the remote server. I think it is just a bug.

I found a way to download the file: you should use slightly more advanced path traversal techniques. It works! But the knowledge presented was actually not enough to do it.

1 Like

No way I would have figured it out without using clues from this forum. No spoilers. It took at least 3 days, about 21 hours, and I finally found the flag. I am now an expert on this particular exploit.

I found it using Metasploit and the public way; using the web browser is the easiest way to view the content of the downloads.

I also found the flag using the Metasploit way. If you wanna know how I got this done…
check out my write-up on Public Exploits for Getting Started. Thanks

“Doesn’t it say in the question?”

Thank you TazWake! This was the nudge that I needed. Need to read carefully.
Good stuff! Thanks again!

1 Like

This helped me as well.

1 Like

I’m having a ton of trouble here. I found the arbitrary file read through searchsploit and went to the directory mentioned: 142.93.47.26:30633/wp-admin/tools.php?page=backup_manager&download_backup_file=/flag.txt
When I do this, a 0 byte file downloads. Aside from this, I’ve tried just about every directory I could think of, but that seems like it’s wrong.
I’ve also tried using the metasploit module, set rhosts to the IP address, set rport to the port of the box, and set the filepath to /flag.txt, as mentioned in the question. When I run the module, no file downloads - it just says:
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
I watched a video on this, and the author did exactly this, but there was another line saying that the flag.txt was saved to the msf4 loot folder.
I’ve also tried respawning the box and trying again, many times.
All to no avail. This is getting really frustrating.
Any suggestions? Is there a bug?

1 Like

try using the directory from the question :wink:

1 Like

Yep I did that. I ended up using the integrated pwnbox to be successful. Apparently Kali over the vpn was having issues.

If you have Kali, when using Metasploit, for RHOST use the IP address and for RPORT use the port given for the spawned machine.

I’ve managed to get this done using Metasploit, but the method using the code in the .txt exploit and browser hasn’t clicked yet. I end up downloading blank flag.txt files and don’t really seem to get anywhere.

Frustrating, but just using Metasploit kind of defeats the object of the module.

OK, so I just figured this out by examining the code in the Metasploit module .rb and cross-referencing the parameters with the .txt exploit code.

Both methods complete

First you have to search the internet for Simple Backup Plugin 2.7.10 and its respective exploits, then load that exploit in Metasploit and configure it very, very well; that is, read the requirements, and that’s it.

Excuse me, my English is very basic.

1 Like

use the feline :cat2: :innocent:

Hi guys,

I got it via msfconsole, pretty easy.

I’m wondering if it can be done using a browser.
When I sent the request, it seems that the " / " character is converted into " _ "
So the filename comes as “_flag.txt”
Is this intentional in order to force us to use msfconsole?
I tried to encode and escape the " / " char but had no luck.

Has anyone managed to do it using the browser?

PM please!
I’m very curious about it.

POST EDIT:

I just got it; curiosity sent me to analyze the exploit code.

lol, the “depth” value gave me the hint.

depth

I wondered why the file downloaded via the browser is replacing “/” and found a WP function that replaces slashes, not with “_”, but it seems to be a similar behaviour;

I always use Kali Linux and VPN.
However this question could not be answered without using pwnbox.
If you get empty output, try using pwnbox.

1 Like

Thanks, but I got it a long time ago. The empty .txt was a matter of the depth of the traversal vuln dir path; it didn’t have anything to do with pwnbox / Kali or anything like that.

Hey man,

I am trying to get the flag using msfconsole, but I think I’m missing smth.

  • I set the RHOSTS to the IP which is spawned by HTB
  • I set the RPORT to the PORT which is spawned by HTB

So I get a file, which has nothing to do with a flag or smth.
Maybe u could give me a hint what I am missing.

Thanks in advance